Welcome to the IACT-Africa and PTC POPI Act/POPIA Implementation Guide for small and medium enterprises. It is your guide to implementing a set of appropriate practices for achieving and maintaining compliance with the POPI Act. The need for such measures arises from the POPI Act Regulations published in December 2018, which require a compliance framework to be established and maintained.
The I-A-C-T methodology enables alignment with standards and frameworks such as ISO 29100 (Privacy Framework), ISO 27701 (Privacy Information Management System) and the NIST Cybersecurity Framework. It is also your guide to protecting the personal information for which your organisation is responsible. This guide is designed to help you implement the IACT-Africa & PTC POPIA Compliance Essentials Licence Toolkit and is not a free-standing guide.
The subject of protecting personal information is often seen as a legal compliance issue. While this is true, there are also many good business reasons to implement the practices covered in this guide.
We know from experience that this guide will enable you to walk a successful journey and to implement a set of effective measures for complying with POPIA and protecting personal information. We are available to help you with any questions or challenges you encounter through our support channels.
If you are new to the POPI Act/POPIA, we recommend that you read the Camargue Protection of Personal Information book as well as the POPI Act Regulations published in December 2018. Please contact us if you need these documents.
John Cato and Dr Peter Tobin jointly own the copyright for the contents of this guide and the original intellectual property items contained in the POPIA Compliance Essentials Licence Toolkit.
Purpose and Scope of the Guide
The purpose of the guide is primarily to enable small businesses to implement a POPIA and PAIA compliance framework without the need for significant support services. In view of this, the guide covers the minimum set of compliance toolkit items. We therefore do not warrant that it covers the items contained in the more comprehensive POPIA and PAIA Compliance Toolkit.
The methodology guides you along a proven compliance implementation process. It consists of 4 phases and is known as the POPI Act I-A-C-T compliance methodology. The 4 phases are:
- Initiate – Initiate your project with the required people and agreed timeframes
- Assess – Assess your current state of compliance
- Consider – Consider what you have discovered in the Assess phase
- Translate – Translate what you consider to be appropriate into implementation actions.
It is important to follow all 4 phases. Many organisations simply implement a set of policies and tick a few boxes so that they can claim to have complied with the requirements of the POPI Act.
Organisations that only implement policies miss many vital activities, such as managing personal information and the risks related to it, managing supplier contracts, and many others. They also miss the significant business benefits that good privacy and data protection practices can give an organisation. We therefore encourage you to walk the complete journey.
The POPI Act I-A-C-T compliance methodology is designed to help you establish compliance with the POPI Act/POPIA as its primary objective. An important additional benefit of the methodology is that the compliance measures you implement are aligned with standards and frameworks such as ISO 29100 (Privacy Framework standard), ISO 27701 (Privacy Information Management System standard) and the NIST Cybersecurity Framework. Should you seek to align further with these, or to obtain certification where it is available (ISO 27701 is certifiable as an extension of an ISO 27001 management system; ISO 29100 and the NIST Cybersecurity Framework are guidance documents rather than certification standards), the measures will serve as a valuable foundation. They can also be used as reference points for decisions you make during your project.
The primary objective for your project should be to achieve compliance with the requirements contained in POPIA and in the Regulations published in December 2018. The output (compliance measures) from your project will serve as essential evidence for your compliance and will be very important should a complaint be lodged against your organisation and/or an investigation be conducted by the Information Regulator.
The driver for this can be found in section 109 of POPIA, which lists, among the factors the Information Regulator must consider when determining an administrative fine, any failure to carry out a risk assessment or to operate good policies, procedures and practices to protect personal information. An organisation with no such evidence can therefore expect a harsher outcome than one that can demonstrate these measures are in place. In summary, prevention is better than cure!